Bug 1739242
Summary: False positives for audit rules after remediation

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Kwan Lowe <kwan> |
| Component: | scap-security-guide | Assignee: | Matěj Týč <matyc> |
| Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | --- | CC: | ggasparb, mhaicman, wsato |
| Target Milestone: | rc | | |
| Target Release: | 8.1 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | scap-security-guide-0.1.46-1.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 21:17:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Kwan Lowe
2019-08-08 20:14:42 UTC
On manual check, I confirmed that the audit rule is working by tailing /var/log/audit.log, then creating a file and chmod'ing it (touch foo; chmod 650 foo):

type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user" GID="ec2-user" EUID="ec2-user" SUID="ec2-user" FSUID="ec2-user" EGID="ec2-user" SGID="ec2-user" FSGID="ec2-user"
type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"

Looks like the same as this: https://bugzilla.redhat.com/show_bug.cgi?id=1465675

Matěj Týč

I have changed the category - scap-workbench is just a GUI for the OpenSCAP scanner, and the problem comes from a wrong combination of check and remediation in the content, so it is a scap-security-guide issue. The link from your previous comment is supposed to be fixed in RHEL8, as it is based on a later upstream issue, so this one is something else. You have not explicitly mentioned whether the system in question is a freshly installed one or whether it already has some configuration changes; could you please clarify that? And finally, if you are a RHEL subscriber, could you please reach out to customer support and open a case that could be attached to this Bugzilla?

Kwan Lowe

Matěj: Thank you for the response. The remediation was run on a freshly installed RHEL8 from the Amazon AWS Marketplace. I believe that this image is Red Hat maintained. No other configurations were added except to install the scanner. I will open a case through the Portal. Thank you!

Kwan Lowe

Support Case https://access.redhat.com/support/cases/#/case/02452733 added.
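The manual verification the reporter describes (tail the audit log, chmod a file, look for a SYSCALL record carrying key="perm_mod") can be scripted. The following is an added example, not code from the report or from scap-security-guide: it parses auditd records, tolerates the glued key="perm_mod"ARCH=... form seen above, and resolves the x86_64 syscall number when a record has no SYSCALL= enrichment. The sample log reuses the two records quoted above plus one constructed record with another key.

```python
import re
from typing import Dict, Iterable, List

# auditd writes name=value fields; values are either "quoted" or bare.
# Interpreted fields (ARCH=, SYSCALL=, AUID=...) follow a 0x1d separator that
# was lost when the record was pasted into the report, leaving
# key="perm_mod"ARCH=... glued together, so no whitespace is required between fields.
_FIELD = re.compile(r'(\w+)=("[^"]*"|[^\s"]+)')

# x86_64 (arch=c000003e) syscall numbers for the permission-changing calls a
# perm_mod watch covers; used only when the record carries no SYSCALL= name.
_X86_64_PERM_SYSCALLS = {
    90: "chmod", 91: "fchmod", 268: "fchmodat",
    92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat",
}

# Constructed sample: the SYSCALL and CWD records quoted in the report, plus a
# made-up event with a different key that the filter must leave out.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1565293919.182:48514): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55a39281f670 a2=1b5 a3=fff items=1 ppid=10210 pid=10254 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=60 comm="chmod" exe="/usr/bin/chmod" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="perm_mod"ARCH=x86_64 SYSCALL=fchmodat AUID="ec2-user" UID="ec2-user"',
    'type=CWD msg=audit(1565293919.182:48514): cwd="/home/ec2-user"',
    'type=SYSCALL msg=audit(1565293920.000:48515): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=10255 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="other_watch"',
]

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict, stripping quotes."""
    return {name: value.strip('"')
            for name, value in _FIELD.findall(line.replace("\x1d", " "))}

def perm_mod_events(lines: Iterable[str], key: str = "perm_mod") -> List[Dict[str, str]]:
    """Return successful SYSCALL records tagged with `key`, each with a
    resolved 'syscall_name' so the reader can see which call fired the rule."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key or rec.get("success") != "yes":
            continue
        name = rec.get("SYSCALL")                   # present on enriched records
        if name is None and rec.get("arch") == "c000003e" and rec.get("syscall", "").isdigit():
            name = _X86_64_PERM_SYSCALLS.get(int(rec["syscall"]))
        rec["syscall_name"] = name or "unknown"
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for ev in perm_mod_events(SAMPLE_LOG):
        print(f'{ev["msg"]} {ev["syscall_name"]} by {ev["comm"]} (auid={ev["auid"]})')
```

Run it against a real /var/log/audit/audit.log (one record per line) to confirm the loaded rule is actually producing perm_mod events, independently of what the SCAP check reports.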
This has been addressed by https://bugzilla.redhat.com/show_bug.cgi?id=1723466 where the audit rules have been drastically simplified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3453